What is the CVSS score of CVE-2025-64111?

CVE-2025-64111 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Gogs are affected by CVE-2025-64111?

Gogs self-hosted Git service installations (version 0.13.3 and earlier) face critical remote code execution risk due to an incomplete security patch.. A patch is available.

Is there a public PoC exploit available for CVE-2025-64111?

Yes, a public proof-of-concept exploit is available for CVE-2025-64111. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-64111?

Within 24 hours: Identify all Gogs instances in your environment and their versions; isolate affected systems from production networks if possible. Within 7 days: Implement network-based access controls restricting Gogs to authorized users only; enable enhanced logging and monitoring for suspicious Git operations. Within 30 days: Migrate to a patched Gogs version (0.13.4 or later) or switch to actively maintained Git alternatives (GitLab, Gitea, GitHub Enterprise).

Gogs CVE-2025-64111

CRITICAL

OS Command Injection (CWE-78)

2026-02-06 security-advisories@github.com

GHSA-gg64-xxr9-qhjp

Command Injection Gogs Suse

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 18:09 vuln.today

Public exploit code

CVE Published

Feb 06, 2026 - 17:16 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.

AnalysisAI

Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafted repository operations.

Technical ContextAI

Gogs v0.13.3 has a CWE-78 OS command injection due to insufficient input validation in Git operations, allowing attackers to inject commands that execute on the Gogs server.

RemediationAI

Update Gogs. Sanitize all Git operation inputs.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2025-64111 vulnerability details – vuln.today

Back

Gogs CVE-2025-64111

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code